---
layout: docs
page_title: GCP Cloud KMS
description: Manage the lifecycle of keys in GCP Cloud KMS key rings with the Key Management secrets engine plugin.
---

# GCP Cloud KMS

The key management secrets engine supports lifecycle management of keys in GCP Cloud KMS
[key rings](https://cloud.google.com/kms/docs/resource-hierarchy#key_rings). This is accomplished
by configuring a KMS provider resource with the `gcpckms` provider and other provider-specific
parameter values.

The following sections describe how to properly configure the secrets engine to enable
the functionality.

Refer to the [setup guide](/vault/docs/secrets/key-management/gcpkms/setup) for CLI command examples.

## Authentication

The key management secrets engine must be configured with credentials that have sufficient
permissions to manage keys in an existing GCP Cloud KMS [key ring](https://cloud.google.com/kms/docs/resource-hierarchy#key_rings).
The authentication parameters are described in the [credentials](/vault/api-docs/secret/key-management/gcpkms#credentials)
section of the API documentation. The authentication parameters will be set with the following order
of precedence:

1. `GOOGLE_CREDENTIALS` environment variable
2. [KMS provider credentials](/vault/api-docs/secret/key-management/gcpkms#credentials) parameter
3. [Application default credentials](https://cloud.google.com/docs/authentication/production)

The service account must be authorized with the following minimum
[IAM permissions](https://cloud.google.com/kms/docs/reference/permissions-and-roles) on the
target [key ring](https://cloud.google.com/kms/docs/resource-hierarchy#key_rings) resource:

- `cloudkms.cryptoKeys.create`
- `cloudkms.cryptoKeys.update`
- `cloudkms.importJobs.create`
- `cloudkms.importJobs.get`
- `cloudkms.importJobs.useToImport`
- `cloudkms.cryptoKeyVersions.list`
- `cloudkms.cryptoKeyVersions.destroy`
- `cloudkms.cryptoKeyVersions.update`
- `cloudkms.cryptoKeyVersions.create`


## Key transfer specification

Keys are securely transferred from the secrets engine to GCP Cloud KMS in accordance
with the [key import](https://cloud.google.com/kms/docs/key-import) specification.

## Key purpose compatibility

The following table defines which key [purposes](/vault/api-docs/secret/key-management#purpose) can be used
for each key type supported by GCP Cloud KMS.

| Key Type       | Purpose                 |
| -------------- | ----------------------- |
| `aes256-gcm96` | `encrypt` and `decrypt` |
| `rsa-2048`     | `decrypt` or `sign`     |
| `rsa-3072`     | `decrypt` or `sign`     |
| `rsa-4096`     | `decrypt` or `sign`     |
| `ecdsa-p256`   | `sign`                  |
| `ecdsa-p384`   | `sign`                  |
